The DES Algorithm Illustrated

by J. Orlin Grabbe

The DES (Data Encryption Standard) algorithm is the
most widely used encryption algorithm in the world. For
many years, and among many people, "secret code making" and
DES have been synonymous. And despite the recent coup by
the Electronic Frontier Foundation in creating a $220,000
machine to crack DES-encrypted messages, DES will live on in
government and banking for years to come through a life-
extending version called "triple-DES."

How does DES work? This article explains the various
steps involved in DES-encryption, illustrating each step by
means of a simple example. Since the creation of DES, many
other algorithms (recipes for changing data) have emerged
which are based on design principles similar to DES. Once
you understand the basic transformations that take place in
DES, you will find it easy to follow the steps involved in
these more recent algorithms.

But first a bit of history of how DES came about is
appropriate, as well as a look toward the future.

The National Bureau of Standards Coaxes the Genie from the Bottle

On May 15, 1973, during the reign of Richard Nixon, the
National Bureau of Standards (NBS) published a notice in the
Federal Register soliciting proposals for cryptographic
algorithms to protect data during transmission and storage.
The notice explained why encryption was an important issue.

Over the last decade, there has been an
accelerating increase in the accumulations and
communication of digital data by government,
industry and by other organizations in the private
sector. The contents of these communicated and
stored data often have very significant value
and/or sensitivity. It is now common to find data
transmissions which constitute funds transfers of
several million dollars, purchase or sale of
securities, warrants for arrests or arrest and
conviction records being communicated between law
enforcement agencies, airline reservations and
ticketing representing investment and value both
to the airline and passengers, and health and
patient care records transmitted among physicians
and treatment centers.

The increasing volume, value and confidentiality
of these records regularly transmitted and stored
by commercial and government agencies has led to
heightened recognition and concern over their
exposures to unauthorized access and use. This
misuse can be in the form of theft or defalcations
of data records representing money, malicious
modification of business inventories or the
interception and misuse of confidential
information about people. The need for protection
is then apparent and urgent.

It is recognized that encryption (otherwise known
as scrambling, enciphering or privacy
transformation) represents the only means of
protecting such data during transmission and a
useful means of protecting the content of data
stored on various media, providing encryption of
adequate strength can be devised and validated and
is inherently integrable into system architecture.
The National Bureau of Standards solicits proposed
techniques and algorithms for computer data
encryption. The Bureau also solicits recommended
techniques for implementing the cryptographic
function: for generating, evaluating, and
protecting cryptographic keys; for maintaining
files encoded under expiring keys; for making
partial updates to encrypted files; and mixed
clear and encrypted data to permit labelling,
polling, routing, etc. The Bureau in its role for
establishing standards and aiding government and
industry in assessing technology, will arrange for
the evaluation of protection methods in order to
prepare guidelines.

NBS waited for the responses to come in. It received
none until August 6, 1974, three days before Nixon's
resignation, when IBM submitted a candidate that it had
developed internally under the name LUCIFER. After
evaluating the algorithm with the help of the National
Security Agency (NSA), the NBS adopted a modification of the
LUCIFER algorithm as the new Data Encryption Standard (DES)
on July 15, 1977.

DES was quickly adopted for non-digital media, such as
voice-grade public telephone lines. Within a couple of
years, for example, International Flavors and Fragrances was
using DES to protect its valuable formulas transmitted over
the phone ("With Data Encryption, Scents Are Safe at IFF,"
Computerworld 14, No. 21, 95 (1980).)

Meanwhile, the banking industry, which is the largest
user of encryption outside government, adopted DES as a
wholesale banking standard. Standards for the wholesale
banking industry are set by the American National Standards
Institute (ANSI). ANSI X3.92, adopted in 1980, specified
the use of the DES algorithm.

Some Preliminary Examples of DES

DES works on bits, or binary numbers--the 0s and 1s
common to digital computers. Each group of four bits makes
up a hexadecimal, or base 16, number. Binary "0001" is
equal to the hexadecimal number "1", binary "1000" is equal
to the hexadecimal number "8", "1001" is equal to the
hexadecimal number "9", "1010" is equal to the hexadecimal
number "A", and "1111" is equal to the hexadecimal number
"F".

DES works by encrypting groups of 64 message bits,
which is the same as 16 hexadecimal numbers. To do the
encryption, DES uses "keys" where are also apparently 16
hexadecimal numbers long, or apparently 64 bits long.
However, every 8th key bit is ignored in the DES algorithm,
so that the effective key size is 56 bits. But, in any
case, 64 bits (16 hexadecimal digits) is the round number
upon which DES is organized.

For example, if we take the plaintext message
"8787878787878787", and encrypt it with the DES key
"0E329232EA6D0D73", we end up with the ciphertext
"0000000000000000". If the ciphertext is decrypted with the
same secret DES key "0E329232EA6D0D73", the result is the
original plaintext "8787878787878787".

This example is neat and orderly because our plaintext
was exactly 64 bits long. The same would be true if the
plaintext happened to be a multiple of 64 bits. But most
messages will not fall into this category. They will not be
an exact multiple of 64 bits (that is, an exact multiple of
16 hexadecimal numbers).

For example, take the message "Your lips are smoother
than vaseline". This plaintext message is 38 bytes (76
hexadecimal digits) long. So this message must be padded
with some extra bytes at the tail end for the encryption.
Once the encrypted message has been decrypted, these extra
bytes are thrown away. There are, of course, different
padding schemes--different ways to add extra bytes. Here we
will just add 0s at the end, so that the total message is a
multiple of 8 bytes (or 16 hexadecimal digits, or 64 bits).

The plaintext message "Your lips are smoother than
vaseline" is, in hexadecimal,

(Note here that the first 72 hexadecimal digits represent
the English message, while "0D" is hexadecimal for Carriage
Return, and "0A" is hexadecimal for Line Feed, showing that
the message file has terminated.) We then pad this message
with some 0s on the end, to get a total of 80 hexadecimal
digits:

This is the secret code that can be transmitted or stored.
Decrypting the ciphertext restores the original message
"Your lips are smoother than vaseline". (Think how much
better off Bill Clinton would be today, if Monica Lewinsky
had used encryption on her Pentagon computer!)

How DES Works in Detail

DES is a block cipher--meaning it operates on plaintext
blocks of a given size (64-bits) and returns ciphertext
blocks of the same size. Thus DES results in a permutation
among the 2^64 (read this as: "2 to the 64th power") possible arrangements of 64 bits, each of
which may be either 0 or 1. Each block of 64 bits is divided
into two blocks of 32 bits each, a left half block L and a
right half R. (This division is only used in certain
operations.)

Example: Let M be the plain text message M =
0123456789ABCDEF, where M is in hexadecimal (base 16)
format. Rewriting M in binary format, we get the 64-bit
block of text:

The first bit of M is "0". The last bit is "1". We read
from left to right.

DES operates on the 64-bit blocks using key sizes of 56-
bits. The keys are actually stored as being 64 bits long,
but every 8th bit in the key is not used (i.e. bits numbered
8, 16, 24, 32, 40, 48, 56, and 64). However, we will
nevertheless number the bits from 1 to 64, going left to
right, in the following calculations. But, as you will see,
the eight bits just mentioned get eliminated when we create
subkeys.

Example: Let K be the hexadecimal key K =
133457799BBCDFF1. This gives us as the binary key (setting
1 = 0001, 3 = 0011, etc., and grouping together every eight
bits, of which the last one in each group will be unused):

Step 1: Create 16 subkeys, each of which is 48-bits long.

The 64-bit key is permuted according to the following
table, PC-1. Since the first entry in the table is "57",
this means that the 57th bit of the original key K becomes
the first bit of the permuted key K+. The 49th bit of the
original key becomes the second bit of the permuted key.
The 4th bit of the original key is the last bit of the
permuted key. Note only 56 bits of the original key appear
in the permuted key.

With C0 and D0 defined, we now create sixteen blocks Cn
and Dn, 1<=n<=16. Each pair of blocks Cn and Dn is formed
from the previous pair Cn-1 and Dn-1, respectively, for n =
1, 2, ..., 16, using the following schedule of "left shifts"
of the previous block. To do a left shift, move each bit
one place to the left, except for the first bit, which is
cycled to the end of the block.

This means, for example, C3 and D3 are obtained from C2 and
D2, respectively, by two left shifts, and C16 and D16 are
obtained from C15 and D15, respectively, by one left shift.
In all cases, by a single left shift is meant a rotation of
the bits one place to the left, so that after one left shift
the bits in the 28 positions are the bits that were
previously in positions 2, 3,..., 28, 1.

Example: From original pair pair C0 and D0 we obtain:

C0 = 1111000011001100101010101111D0 = 0101010101100110011110001111

C1 = 1110000110011001010101011111D1 = 1010101011001100111100011110

C2 = 1100001100110010101010111111D2 = 0101010110011001111000111101

C3 = 0000110011001010101011111111D3 = 0101011001100111100011110101

C4 = 0011001100101010101111111100D4 = 0101100110011110001111010101

C5 = 1100110010101010111111110000D5 = 0110011001111000111101010101

C6 = 0011001010101011111111000011D6 = 1001100111100011110101010101

C7 = 1100101010101111111100001100D7 = 0110011110001111010101010110

C8 = 0010101010111111110000110011D8 = 1001111000111101010101011001

C9 = 0101010101111111100001100110D9 = 0011110001111010101010110011

C10 = 0101010111111110000110011001D10 = 1111000111101010101011001100

C11 = 0101011111111000011001100101D11 = 1100011110101010101100110011

C12 = 0101111111100001100110010101D12 = 0001111010101010110011001111

C13 = 0111111110000110011001010101D13 = 0111101010101011001100111100

C14 = 1111111000011001100101010101D14 = 1110101010101100110011110001

C15 = 1111100001100110010101010111D15 = 1010101010110011001111000111

C16 = 1111000011001100101010101111D16 = 0101010101100110011110001111

We now form the keys Kn, for 1<=n<=16, by applying the
following permutation table to each of the concatenated
pairs CnDn. Each pair has 56 bits, but PC-2 only uses 48 of
these.

Step 2: Encode each 64-bit block of data.

There is an initial permutationIP of the 64 bits of
the message data M. This rearranges the bits according to
the following table, where the entries in the table show the
new arrangement of the bits from their initial order. The
58th bit of M becomes the first bit of IP. The 50th bit of
M becomes the second bit of IP. The 7th bit of M is the
last bit of IP.

We now proceed through 16 iterations, for 1<=n<=16, using
a function f which operates on two blocks--a data block of
32 bits and a key Kn of 48 bits--to produce a block of 32
bits. Let + denote XOR addition, (bit-by-bit addition
modulo 2). Then for n going from 1 to 16 we calculate

Ln = Rn-1Rn = Ln-1 + f(Rn-1,Kn)

This results in a final block, for n = 16, of L16R16. That
is, in each iteration, we take the right 32 bits of the
previous result and make them the left 32 bits of the
current step. For the right 32 bits in the current step, we
XOR the left 32 bits of the previous step with the
calculation f .

It remains to explain how the function f works. To
calculate f, we first expand each block Rn-1 from 32 bits to
48 bits. This is done by using a selection table that
repeats some of the bits in Rn-1 . We'll call the use of
this selection table the function E. Thus E(Rn-1) has a 32
bit input block, and a 48 bit output block.

Let E be such that the 48 bits of its output, written
as 8 blocks of 6 bits each, are obtained by selecting the
bits in its inputs in order according to the following
table:

We have not yet finished calculating the function f .
To this point we have expanded Rn-1 from 32 bits to 48
bits, using the selection table, and XORed the result with
the key Kn . We now have 48 bits, or eight groups of six
bits. We now do something strange with each group of six
bits: we use them as addresses in tables called "S boxes".
Each group of six bits will give us an address in a
different S box. Located at that address will be a 4 bit
number. This 4 bit number will replace the original 6 bits.
The net result is that the eight groups of 6 bits are
transformed into eight groups of 4 bits (the 4-bit outputs
from the S boxes) for 32 bits total.

Write the previous result, which is 48 bits, in
the form:

Kn + E(Rn-1) =B1B2B3B4B5B6B7B8,

where each Bi is a group of six bits. We now calculate

S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8)

where Si(Bi) referres to the output of the i-th S
box.

To repeat, each of the functions S1, S2,..., S8, takes
a 6-bit block as input and yields a 4-bit block as output.
The table to determine S1 is shown and explained below:

If S1 is the function defined in this table and B is a block
of 6 bits, then S1(B) is determined as follows: The first
and last bits of B represent in base 2 a number in the
decimal range 0 to 3 (or binary 00 to 11). Let that number
be i. The middle 4 bits of B represent in base 2 a number
in the decimal range 0 to 15 (binary 0000 to 1111). Let
that number be j. Look up in the table the number in the i-th row and j-th column. It is a number in the range 0 to 15
and is uniquely represented by a 4 bit block. That block is
the output S1(B) of S1 for the input B. For example, for
input block B = 011011 the first bit is "0" and the last bit
"1" giving 01 as the row. This is row 1. The middle four
bits are "1101". This is the binary equivalent of decimal
13, so the column is column number 13. In row 1, column 13
appears 5. This determines the output; 5 is binary 0101, so
that the output is 0101. Hence S1(011011) = 0101.

In the next round, we will have L2 = R1, which is the
block we just calculated, and then we must calculate R2 =L1 + f(R1, K2), and so on for 16 rounds. At the end of the
sixteenth round we have the blocks L16 and R16. We then
reverse the order of the two blocks into the 64-bit block

This is the encrypted form of M = 0123456789ABCDEF: namely,
C = 85E813540F0AB405.

Decryption is simply the inverse of encryption,
follwing the same steps as above, but reversing the order in
which the subkeys are applied.

DES Modes of Operation

The DES algorithm turns a 64-bit message block M into a
64-bit cipher block C. If each 64-bit block is encrypted
individually, then the mode of encryption is called
Electronic Code Book (ECB) mode. There are two other modes
of DES encryption, namely Chain Block Coding (CBC) and
Cipher Feedback (CFB), which make each cipher block
dependent on all the previous messages blocks through an
initial XOR operation.

Cracking DES

Before DES was adopted as a national standard, during
the period NBS was soliciting comments on the proposed
algorithm, the creators of public key cryptography, Martin
Hellman and Whitfield Diffie, registered some objections to
the use of DES as an encryption algorithm. Hellman wrote:
"Whit Diffie and I have become concerned that the proposed
data encryption standard, while probably secure against
commercial assault, may be extremely vulnerable to attack by
an intelligence organization" (letter to NBS, October 22,
1975).

Diffie and Hellman then outlined a "brute force" attack
on DES. (By "brute force" is meant that you try as many of
the 2^56 possible keys as you have to before decrypting the
ciphertext into a sensible plaintext message.) They
proposed a special purpose "parallel computer using one
million chips to try one million keys each" per second, and
estimated the cost of such a machine at $20 million.

Fast forward to 1998. Under the direction of John
Gilmore of the EFF, a team spent $220,000 and built a
machine that can go through the entire 56-bit DES key space
in an average of 4.5 days. On July 17, 1998, they announced
they had cracked a 56-bit key in 56 hours. The computer,
called Deep Crack, uses 27 boards each containing 64 chips,
and is capable of testing 90 billion keys a second.

Despite this, as recently as June 8, 1998, Robert Litt,
principal associate deputy attorney general at the
Department of Justice, denied it was possible for the FBI to
crack DES: "Let me put the technical problem in context:
It took 14,000 Pentium computers working for four months to
decrypt a single message . . . . We are not just talking
FBI and NSA [needing massive computing power], we are
talking about every police department."

Responded cryptograpy expert Bruce Schneier: " . . .
the FBI is either incompetent or lying, or both." Schneier
went on to say: "The only solution here is to pick an
algorithm with a longer key; there isn't enough silicon in
the galaxy or enough time before the sun burns out to brute-
force triple-DES" (Crypto-Gram, Counterpane Systems, August
15, 1998).

Triple-DES

Triple-DES is just DES with two 56-bit keys applied.
Given a plaintext message, the first key is used to DES-
encrypt the message. The second key is used to DES-decrypt
the encrypted message. (Since the second key is not the
right key, this decryption just scrambles the data further.)
The twice-scrambled message is then encrypted again with the
first key to yield the final ciphertext. This three-step
procedure is called triple-DES.

Triple-DES is just DES done three times with two keys
used in a particular order. (Triple-DES can also be done
with three separate keys instead of only two. In either
case the resultant key space is about 2^112.)